z-image-studio

Verified Safe

by iconben

Overview

Z-Image Studio is a local toolkit for high-quality text-to-image generation using the Z-Image-Turbo model, providing CLI, Web UI, and MCP server interfaces with hardware optimizations.

Installation

Run Command
docker run -d --name z-image-studio -p 8000:8000 -v zimg-data:/data -v zimg-config:/home/appuser/.z-image-studio -v zimg-outputs:/data/outputs iconben/z-image-studio:latest

Environment Variables

  • SDNQ_LOG_LEVEL
  • ZIMAGE_BASE_URL
  • ZIMAGE_DISABLE_MCP
  • ZIMAGE_ENABLE_TORCH_COMPILE
  • Z_IMAGE_STUDIO_DATA_DIR
  • Z_IMAGE_STUDIO_OUTPUT_DIR

Security Notes

File upload (`/loras` endpoint) allows `.safetensors` files up to 1GB. While `safetensors` files are generally safer than `pickle`, a malicious file could potentially exploit vulnerabilities in the `diffusers` loading process. The server performs hash checks and filename collision resolution, and files are stored in a dedicated `loras` directory.

URL construction for `ResourceLink` in MCP SSE/Streamable HTTP modes relies on extracting the base URL from request headers (`X-Forwarded-Proto`, `X-Forwarded-Host`) if `ZIMAGE_BASE_URL` is not set. In a misconfigured proxy environment, these headers could be spoofed, potentially leading to incorrect or malicious resource URIs. However, path traversal within the URL is mitigated by `urllib.parse.urljoin` and `urllib.parse.quote` for file paths.

Image saving (`save_image`) includes robust path safety checks to prevent directory traversal attacks.
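One way to harden the base-URL resolution described above, as an added example that is not z-image-studio's own code: `ZIMAGE_BASE_URL` wins when set, and the `X-Forwarded-*` headers are honoured only when the connecting peer is a known proxy. The function names, the `TRUSTED_PROXIES` list, the fallback URL and the `outputs/` path are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import quote, urljoin, urlsplit

# Assumption: only these peers are real reverse proxies in this deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/8")]
# Host[:port] only; rejects slashes, '@', whitespace and other URL syntax.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$")


def resolve_base_url(headers, peer_ip, env, fallback="http://127.0.0.1:8000"):
    """Pick the base URL for resource links without trusting spoofable headers.

    `headers` is a plain dict with canonical header names (assumption).
    """
    configured = env.get("ZIMAGE_BASE_URL", "").strip()
    if configured:
        parts = urlsplit(configured)
        if parts.scheme in ("http", "https") and parts.netloc:
            return configured.rstrip("/") + "/"
        raise ValueError("ZIMAGE_BASE_URL must be an absolute http(s) URL")

    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        proto = headers.get("X-Forwarded-Proto", "").strip().lower()
        host = headers.get("X-Forwarded-Host", "").strip()
        if proto in ("http", "https") and HOST_RE.fullmatch(host):
            return f"{proto}://{host}/"

    # Untrusted peer or malformed headers: ignore the forwarded values entirely.
    return fallback.rstrip("/") + "/"


def resource_uri(base_url, filename):
    """Join a percent-encoded file name under a hypothetical outputs/ path."""
    # safe="" also encodes '/', so '../' cannot become a real path segment.
    return urljoin(base_url, "outputs/" + quote(filename, safe=""))
```

Setting `ZIMAGE_BASE_URL` explicitly in the container environment removes the header-derived path altogether.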

Stats

Interest Score: 82
Security Score: 8
Cost Class: High
Avg Tokens: 100
Stars: 74
Forks: 6
Last Update: 2026-01-18

Tags

AI Image Generation, CLI, Web UI, MCP Server, Local